About

My name is Andrew Caldwell. I’ve been an OS X admin going on 12 years now. Over the years I’ve gained a variety of experience in real-world systems management, and want to pass some of this along to other admins in the hopes that they won’t spend too much time with their feet in the fire trying to figure out problems that aren’t well-documented. I’m trying to keep things as practical as possible, and try to update with new articles several times a week. So enjoy, I hope you find some information you can use for your own OS X management.

If there is a topic that you want to see covered, please leave a comment and I’ll see what I can do.

My first thought would be to use ‘dscl’ for that as a log in hook, and then as a log out hook, use dscl again to delete the contents of the Managed By field, but I don’t have experience doing that. All our users are non-admins, so there’s no real need to use the Managed By field in AD for us. Since all that field does is make whoever’s name is in that field a local administrator, it might be easier to use the ‘dseditgroup’ command to accomplish the same goal by granting membership in the admin group, and then using dseditgroup on logout to remove that membership. The commands you would use are ‘dseditgroup -o edit -a -t admin’ to grant admin rights on log in, and then ‘dseditgroup -o edit -d -t admin’ to revoke admin rights on log out.

It looks like the only option I might have is the bless command for netboot/install/restore but the issue I am running into is that the network admins have blocked bootp across subnets. The other two options I’ve been reading about involve adding more hardware to the network and that won’t be approved. Any thoughts?